BookStack/app/Http/Controllers/Auth/MfaController.php

<?php

namespace BookStack\Http\Controllers\Auth;

use BookStack\Actions\ActivityType;
use BookStack\Auth\Access\Mfa\MfaValue;
use BookStack\Http\Controllers\Controller;
use BookStack\Http\Request;

class MfaController extends Controller
{
    use HandlesPartialLogins;

    /**
     * Show the view to setup MFA for the current user.
     */
    public function setup()
    {
        $userMethods = $this->currentOrLastAttemptedUser()
            ->mfaValues()
            ->get(['id', 'method'])
            ->groupBy('method');
        return view('mfa.setup', [
            'userMethods' => $userMethods,
        ]);
    }

    /**
     * Remove an MFA method for the current user.
     * @throws \Exception
     */
    public function remove(string $method)
    {
        if (in_array($method, MfaValue::allMethods())) {
            $value = user()->mfaValues()->where('method', '=', $method)->first();
            if ($value) {
                $value->delete();
                $this->logActivity(ActivityType::MFA_REMOVE_METHOD, $method);
            }
        }

        return redirect('/mfa/setup');
    }

    /**
     * Show the page to start an MFA verification.
     */
    public function verify(Request $request)
    {
        // TODO - Test this
        $desiredMethod = $request->get('method');
        $userMethods = $this->currentOrLastAttemptedUser()
            ->mfaValues()
            ->get(['id', 'method'])
            ->groupBy('method');

        // Basic search for the default option for a user.
        // (Prioritises totp over backup codes)
        $method = $userMethods->has($desiredMethod) ? $desiredMethod : $userMethods->keys()->sort()->reverse()->first();
        $otherMethods = $userMethods->keys()->filter(function($userMethod) use ($method) {
            return $method !== $userMethod;
        })->all();

        return view('mfa.verify', [
            'userMethods' => $userMethods,
            'method' => $method,
            'otherMethods' => $otherMethods,
        ]);
    }
}
Started barebones work of MFA system 2021-06-28 21:02:45 +00:00			`<?php`

			`namespace BookStack\Http\Controllers\Auth;`

Added the ability to remove an MFA method Includes testing to cover 2021-07-14 20:27:21 +00:00			`use BookStack\Actions\ActivityType;`
			`use BookStack\Auth\Access\Mfa\MfaValue;`
Started barebones work of MFA system 2021-06-28 21:02:45 +00:00			`use BookStack\Http\Controllers\Controller;`
Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 15:52:31 +00:00			`use BookStack\Http\Request;`
Started barebones work of MFA system 2021-06-28 21:02:45 +00:00
			`class MfaController extends Controller`
			`{`
Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 15:52:31 +00:00			`use HandlesPartialLogins;`

Started barebones work of MFA system 2021-06-28 21:02:45 +00:00			`/**`
			`* Show the view to setup MFA for the current user.`
			`*/`
			`public function setup()`
			`{`
Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 15:52:31 +00:00			`$userMethods = $this->currentOrLastAttemptedUser()`
			`->mfaValues()`
Complete base flow for TOTP setup - Includes DB storage and code validation. - Extracted TOTP work to its own service file. - Still needs testing to cover this side of things. 2021-06-30 21:10:02 +00:00			`->get(['id', 'method'])`
			`->groupBy('method');`
			`return view('mfa.setup', [`
			`'userMethods' => $userMethods,`
			`]);`
Started barebones work of MFA system 2021-06-28 21:02:45 +00:00			`}`
Added the ability to remove an MFA method Includes testing to cover 2021-07-14 20:27:21 +00:00
			`/**`
			`* Remove an MFA method for the current user.`
			`* @throws \Exception`
			`*/`
			`public function remove(string $method)`
			`{`
			`if (in_array($method, MfaValue::allMethods())) {`
			`$value = user()->mfaValues()->where('method', '=', $method)->first();`
			`if ($value) {`
			`$value->delete();`
			`$this->logActivity(ActivityType::MFA_REMOVE_METHOD, $method);`
			`}`
			`}`

			`return redirect('/mfa/setup');`
			`}`
Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-16 22:23:36 +00:00
			`/**`
			`* Show the page to start an MFA verification.`
			`*/`
Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 15:52:31 +00:00			`public function verify(Request $request)`
Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-16 22:23:36 +00:00			`{`
Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 15:52:31 +00:00			`// TODO - Test this`
			`$desiredMethod = $request->get('method');`
			`$userMethods = $this->currentOrLastAttemptedUser()`
			`->mfaValues()`
Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-16 22:23:36 +00:00			`->get(['id', 'method'])`
			`->groupBy('method');`

Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 15:52:31 +00:00			`// Basic search for the default option for a user.`
			`// (Prioritises totp over backup codes)`
			`$method = $userMethods->has($desiredMethod) ? $desiredMethod : $userMethods->keys()->sort()->reverse()->first();`
			`$otherMethods = $userMethods->keys()->filter(function($userMethod) use ($method) {`
			`return $method !== $userMethod;`
			`})->all();`

Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-16 22:23:36 +00:00			`return view('mfa.verify', [`
			`'userMethods' => $userMethods,`
Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 15:52:31 +00:00			`'method' => $method,`
			`'otherMethods' => $otherMethods,`
Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-16 22:23:36 +00:00			`]);`
			`}`
Started barebones work of MFA system 2021-06-28 21:02:45 +00:00			`}`